Graphql-yoga: Apollo Server and CSRF protection.

Created on 28 Aug 2018 · 4 Comments · Source: dotansimha/graphql-yoga

Guys,

I am really sad not to see any results in these issues when I search for the word "CSRF".

I read a lot around:

  1. https://github.com/pillarjs/understanding-csrf
  2. https://security.stackexchange.com/questions/10227/csrf-with-json-post
  3. https://stackoverflow.com/questions/11008469/are-json-web-services-vulnerable-to-csrf-attacks
  4. (Nothing on the ApolloServer site: https://www.apollographql.com/docs/apollo-server/)

However, I am not yet able to understand whether our endpoint ("/graphql") is protected against this type of attack, or whether it is necessary to protect it with a solution like this: https://github.com/expressjs/csurf.

The thing that is not clear to me is that here: https://github.com/pillarjs/understanding-csrf they say:

    When you're using CSRF tokens incorrectly:
    ...
    Adding them to JSON AJAX calls
    As noted above, if you do not support CORS and your APIs are strictly JSON, there is absolutely no point in adding CSRF tokens to your AJAX calls.

If we restrict our endpoint to just use Content-Type: application/json are we safe?
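The check the post is asking about, written out as an added example (this is not graphql-yoga or Apollo Server code, and the names `mediaType`, `checkCsrf` and `csrfGuard` are my own). The reasoning behind it: a cross-site HTML form, or a credentialed `fetch()` that does not trigger a CORS preflight, can only carry one of three "simple" content types (text/plain, application/x-www-form-urlencoded, multipart/form-data). Any other Content-Type, including application/json, forces a preflight, and a server that does not enable CORS never approves it, so the browser never sends the actual request. Requiring `application/json` on every POST to the endpoint is therefore what makes the "strictly JSON, no CORS" argument hold, and the guard below enforces exactly that:

```javascript
// Added example, not code from graphql-yoga or Apollo Server:
// a CSRF guard for a cookie-authenticated, JSON-only GraphQL endpoint.
//
// Content types a browser may send cross-origin WITHOUT a CORS preflight.
// A forged <form> or a "simple" fetch() can use only these, so any of them
// arriving on a state-changing request is a CSRF vector and is rejected.
const SIMPLE_CONTENT_TYPES = new Set([
  'text/plain',
  'application/x-www-form-urlencoded',
  'multipart/form-data',
]);

// Extract the bare media type from a Content-Type header value.
// "Application/JSON; charset=utf-8" -> "application/json"; missing/empty -> null.
// Parameters such as charset or boundary are ignored on purpose: the policy
// is about the media type, not its parameters.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return null;
  const type = contentType.split(';', 1)[0].trim().toLowerCase();
  return type.length > 0 ? type : null;
}

// Decide whether a request could be a CSRF vector for a JSON API.
// Returns { ok: true } or { ok: false, reason }.
//
// Assumed policy for this example:
//  - GET/HEAD pass here only because the GraphQL layer is expected to refuse
//    mutations over GET; they must stay side-effect free.
//  - Every other method must carry Content-Type: application/json. A simple
//    content type is named in the reason so logs show what the forged
//    request looked like.
function checkCsrf(method, headers) {
  const m = String(method || '').toUpperCase();
  if (m === 'GET' || m === 'HEAD') {
    return { ok: true };
  }
  const type = mediaType(headers && headers['content-type']);
  if (type === null) {
    return { ok: false, reason: 'missing or malformed Content-Type' };
  }
  if (SIMPLE_CONTENT_TYPES.has(type)) {
    return { ok: false, reason: `simple content type ${type} is a CSRF vector` };
  }
  if (type !== 'application/json') {
    return { ok: false, reason: `unsupported content type ${type}` };
  }
  return { ok: true };
}

// Express/Connect-style middleware built on the check above. Node lower-cases
// incoming header names, so headers['content-type'] is the right key.
// Mount it on the GraphQL path before the GraphQL handler.
function csrfGuard(req, res, next) {
  const verdict = checkCsrf(req.method, req.headers);
  if (verdict.ok) return next();
  res.statusCode = 415; // Unsupported Media Type
  res.setHeader('Content-Type', 'application/json');
  res.end(JSON.stringify({ errors: [{ message: `Rejected: ${verdict.reason}` }] }));
}

// Constructed sample requests (not captured traffic) covering each outcome.
const samples = [
  ['POST', { 'content-type': 'application/json; charset=utf-8' }],  // legitimate JSON client
  ['POST', { 'content-type': 'text/plain;charset=UTF-8' }],          // <form enctype="text/plain">
  ['POST', { 'content-type': 'application/x-www-form-urlencoded' }], // default <form> POST
  ['POST', { 'content-type': 'multipart/form-data; boundary=x' }],   // file-upload style form
  ['POST', {}],                                                      // no Content-Type at all
  ['GET', {}],                                                       // query in the URL, no body
];

for (const [method, headers] of samples) {
  const verdict = checkCsrf(method, headers);
  console.log(method, headers['content-type'] || '(none)', '->', verdict.ok ? 'allowed' : `rejected: ${verdict.reason}`);
}
```

Two caveats a practitioner would want alongside this. First, the guard only helps while CORS stays off (or is limited to trusted origins without reflecting arbitrary `Origin` values together with `Access-Control-Allow-Credentials: true`); if a `cors` middleware is added later, it must run before this guard and must not loosen the origin policy. Second, any feature that accepts `multipart/form-data` on the same endpoint (for example a GraphQL file-upload middleware) reintroduces a simple content type and therefore reopens the CSRF vector, so it needs a separate defence such as a custom request header or a token.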

All 4 comments

I'd love to have that feature implemented.

Due to inactivity of this issue we have marked it stale. It will be closed if no further activity occurs.

Hey :wave:, it seems like this issue has been inactive for some time. To maintain a clear overview of the issues concerning the latest version of graphql-yoga, we'll close it.
Feel free to reopen it at any time if you believe we should further discuss its content. :slightly_smiling_face:

No stale, @stale, please.
